Yahoo gets hacked as 400,000+ plaintext credentials are posted online

Yahoo gets hacked as 400,000+ plaintext credentials are posted online

Yahoo has reportedly been hacked after the plaintext credentials for 400,000 logins were found to have been posted online, according to security expert Trusted Sec.

The report — via Ars Technica — suggests that the user data is from the company’s Yahoo Voice calling service, Yahoo Voices content network, and the security firm has expressed its concern that it was so easily accessed:

The most alarming part to the entire story was the fact that the passwords were stored completely unencrypted and the full 400,000+ usernames and passwords are now public. The method for the compromise was apparently a SQL Injection attack to extract the sensitive information from the database.

The posting contains the plaintext credentials for 453,492 Yahoo accounts, and is intended to serve as a “wake-up call…not a threat”, according to a comment that accompanied the data dump.

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat. There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage.”

The Yahoo Voice calling service is powered by voice over IP (VoIP) company Jajah, following a deal that was inked in 2008. At this stage, however, it appears that the issue lies with Yahoo rather than Jajah.

We’ve reached out to Yahoo for more details.

It’s worth noting that TrustSec refers to Yahoo Voice as formerly being Associated Content (the content platform it bought for $100 million) but that is incorrect, that service was later renamed Yahoo Voices.

Looking through a variety of sources, it appears that the compromised server was likely “Yahoo! Voice” which was formally known as Associated Content (credit to Adam Caudill for the linkage).

From that wording, it appears that Yahoo Voice (sans s) was the service targeted but we’ve contacted TrustSec to confirm that.

UPDATE: We’ve received confirmation that it was indeed the former Associated Content network now known as Yahoo Voices that has been compromised.

Image via Shutterstock / Stephen Mcsweeny

Read next: Japanese advertising giant Dentsu buys UK-based Aegis for $5 billion